UK’s Companies House confirms security flaw exposed business data

Companies House has restored its WebFiling service after fixing a security flaw introduced in October 2025 that exposed data for up to five million registered companies. The flaw, reported by Dan Neidle after a warning from Ghost Mail’s John Hewitt went unanswered, allowed logged-in users to access other companies’ dashboards and view sensitive details such as dates of birth, residential addresses and company email addresses.

Key points

  • Companies House took WebFiling offline to fix a vulnerability introduced in October 2025.
  • The flaw let logged-in users access other companies’ dashboards by using the “file for another company” flow and the browser back button.
  • Data for up to five million companies, including dates of birth, residential addresses and company email addresses, may have been exposed.
  • Companies House says passwords and identity verification documents were not accessed and that filed documents could not have been altered.
  • The agency has reported the incident to the ICO and NCSC and is investigating whether any records were accessed or changed without permission.

Read More: https://www.bleepingcomputer.com/news/security/uks-companies-house-confirms-security-flaw-exposed-business-data/